Frustration with BSD/OS 4.2 and IPFW

I am offering a ton of points for anyone that can get me through this problem!

I am a knowledgeable person in Linux - sysadmin for 4 years. I just acquired a BSD/OS 4.2 server which will be used to replace the Linux server as soon as possible. I have been able to learn what is different and set up sendmail, samba, ftp, etc. without problem.

Here is my problem: I can't understand for anything the whole ipfw setup. It is NOTHING like ipchains in Linux.

I know that I must set up the kernel to accept IPFW, done.
I know that I will need to make a few scripts for all the rules. BUT there is NO documentation on this. Oh yes, I have read the man pages, but they give me all the options and flags but not the format, or which file is which, nor where to put anything. I AM LOST!

Now when I reboot I am told that I am not using a proper BSD filter....... OK, so I read my man pages and see that I should have sent the file rc.iprules through the ipfwasm program to make it an assembled BSD IP filter.

I have been on this for a week and I am getting very frustrated for lack of documents. I would like, if possible, for someone to take me by the hand in doing a very basic ipfw setup from start to finish, which later I can use as the base of a complete firewall setup.

Thanx
Shera

PS
I was not allowed to offer the 800 points that I wanted, but help me with this and we will work out a way to get it up to 800 points.

-------------------- Part of answer ----------
Sorry but need to add one more comment for future ipfw people.

I have one little error in my setup: when you reboot (which I did this morning) all configs are gone. Why? The directory /var/run/ipfw is a cache directory; what is there only remains as long as you don't reboot :)

So you need to change the rc.local, and the use of the ipfwcmp/ipfw commands to reflect this.

# localhost rules
$fwcmd add pass all from any to any via lo0
$fwcmd add drop all from 127.0.0.0/8 to 127.0.0.0/8

# no spoof
$fwcmd add drop all from $int_net in recv ${ext_if}

# no private
$fwcmd add drop all from 192.168.0.0:255.255.0.0 in recv ${ext_if}
$fwcmd add drop all from 172.16.0.0:255.240.0.0 in recv ${ext_if}
$fwcmd add drop all from 10.0.0.0:255.0.0.0 in recv ${ext_if} # duplicate of anti-spoof

# deny everything to firewall
$fwcmd add drop all from any to ${ext_ip} in recv ${ext_if}

# http allowances
$fwcmd add allow tcp from ${int_net} to any 80 in recv ${int_if}
$fwcmd add allow tcp from ${int_net} to any 80 out xmit ${ext_if}
$fwcmd add allow tcp from any 80 to ${int_net} in recv ${ext_if} established
$fwcmd add allow tcp from any 80 to ${int_net} out xmit ${int_if} established

# dns allowances (should be set to external dns host..but we have all)
$fwcmd add allow udp from ${int_net} to any 53 in recv ${int_if}
$fwcmd add allow udp from ${int_net} to any 53 out xmit ${ext_if}
$fwcmd add allow udp from any 53 to ${int_net} in recv ${ext_if}
$fwcmd add allow udp from any 53 to ${int_net} out xmit ${int_if}

# last rule (should be set by default, but we'll implicitly put it and use it for logging)
$fwcmd add drop log any from any to any

I don't want to delete this question because in my search through the internet I have found that others have asked this question without getting an answer. So I want to answer my own question to give others the chance, and not to go through the 7 headache days that I have gone through.
Excuse any misuse of terms; recall I learned this on my own.

What I learned about BSD/OS 4.2 IPFW and its setup:

1. It is very powerful once you know what you're doing
2. There is very little written for it
3. Important commands to learn: ipfw, ipfwcmp
4. Learn that compiled rule sets go to /var/run/ipfw
5. Some commands in the man files do NOT work (ie: display)

To get ipfw to work you need to put stuff in the start up file to tell the system that you want to use ipfw and where the rule sets are..... I have found that putting this in rc.local works great. To make a very BASIC entry you could add the following lines to rc.local

First we turn on logging, and I have an echo statement so I can see that the log turned on when the computer boots. Since I wanted to be able to see only ipfw stuff in the log, I create a separate log called ipfw.log. There is a lot of stuff you can do with the log, but for that you will need to read the man of ipfwlog.

Second: the line that reads: echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1
is to turn on IP forwarding itself. I didn't have to put this line; it was already in my rc.local with a # to comment it out. NOTE: you may have to compile the kernel to allow ipfw; the steps are easy and they are in the book so I won't go into that here.

Step 3: you have to tell ipfw where its configuration files are kept. I have found that the compiled file works best from /var/run/ipfw. You can make one configuration file for every rule, or you can have one for everything coming in "input", one for everything going out "output", things that should happen upon starting ipfw "pre-input", and many more (this can be found in the man of ipfw). Just to keep this simple I have an input and output in the example, but actually have also pre-input. Oh ya, file names don't matter from what I can tell; I used test-input and it worked just as well as input.bak. I use -push to shove these rules onto the whole chain. The echo commands are just for show at boot up; they are not needed.

OK, we are done with the rc.local file. Now the fun begins. I will not explain what a rule means because each command of the rules is well documented in the man files and the manual, but I will give some not so clear, or not documented, stuff here. You will be making some simple files that later you will need to compile. I like to keep things neat, so inside of /etc I made a subdirectory called /etc/ipfw_rules. You can really put this stuff anywhere you want it. Inside of /etc/ipfw_rules I type vi input.bak (my name, you can put anything you want). In the file input.bak I put:

Now from reading I do know that the compiler I will use is ipfwcmp and it uses cpp which is a C compiler. So with little experience in C but a good book on hand :) I know that I can #define things that I will be typing over and over. You can define your lo0, your local net, your external connection IP, all those things that you will put rules on, using a #define statement. For simplicity I just added two computers but could have put
#define LOCAL_NET 10.10.10.0/24
which would have included all the local computers, but if I want to rule out one computer or another I wouldn't be able to use LOCAL_NET.

All the rest of the stuff in this file is well explained with the man and manual so I won't go into it.

Save your file input.bak with :wq and now we will compile.

Type the following on the command line:
ipfwcmp -o /var/run/ipfw/input /etc/ipfw_rules/input.bak
[enter]
------------ NOTE ---------
Basically this says to use ipfwcmp and to make a file called /var/run/ipfw/input from a file called /etc/ipfw_rules/input.bak
-----------End of NOTE ---------

Now type the following on the command line:
ipfw input -replace /var/run/ipfw/input
[enter]
----------NOTE ----------
This calls ipfw to set /var/run/ipfw/input as the input rules source and to replace any others that I may have.
----------End of NOTE ---------

If you didn't get any errors you can now try out your new rules. Want to see how the computer sees the rule? Type ipfw on a command line and hit enter; your rule should be there. Try pinging your different machines and you will see that using my sample nobody can ping in or out. This is not a useful script - it is just an example to show the basic steps.

Now if you're like me and make many input scripts just to see how they will work and to play with the rules, you will start filling up the /var/run/ipfw directory. Make sure to clean it with rm; it will grow fast while learning :)

Writing these instructions it all seems so very easy and so very logical, but it took me 7 days to get here and a lot of screaming. I hope this will help someone else that is in the same position :)

I think later I will make a web page with good instructions, because there is a VERY big lack of documentation for BSD/OS 4.2 out on the net.
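One way to make the setup described in this answer survive a reboot, as an added example that is not code from the original post: a POSIX sh script called from rc.local that recompiles every rule source under /etc/ipfw_rules into /var/run/ipfw with ipfwcmp and installs each with ipfw <chain> -replace, refusing to install a chain whose compile failed. It assumes only the command syntax the answer shows (ipfwcmp -o, ipfw <chain> -replace), the answer's statement that /var/run/ipfw is emptied on reboot, and a naming convention of my own: one source file per chain named <chain>.rules (input.rules, output.rules, pre-input.rules).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the BSD/OS 4.2 syntax the
# answer shows: "ipfwcmp -o <compiled> <source>" compiles a cpp-preprocessed
# rule file and "ipfw <chain> -replace <compiled>" installs it on that chain
# (input, output, pre-input, ...). /var/run/ipfw is a cache directory that is
# emptied on reboot, so the compiled files are regenerated from the sources.

RULES_SRC=${RULES_SRC:-/etc/ipfw_rules}   # one source per chain: <chain>.rules
RULES_RUN=${RULES_RUN:-/var/run/ipfw}     # compiled output, lost on every reboot
IPFWCMP=${IPFWCMP:-ipfwcmp}
IPFW=${IPFW:-ipfw}

# Compile one chain's source; a non-zero exit means nothing gets installed.
compile_chain() {
    "$IPFWCMP" -o "$RULES_RUN/$1" "$RULES_SRC/$1.rules"
}

# Install a compiled chain, replacing whatever that chain currently holds.
load_chain() {
    "$IPFW" "$1" -replace "$RULES_RUN/$1"
}

# Compile and load every chain that has a source file; prints how many
# chains were loaded and reports (on stderr) any that failed.
load_all() {
    mkdir -p "$RULES_RUN"
    loaded=0
    for src in "$RULES_SRC"/*.rules; do
        [ -e "$src" ] || continue          # no sources: the glob stays literal
        chain=$(basename "$src" .rules)
        if compile_chain "$chain" && load_chain "$chain"; then
            loaded=$((loaded + 1))
        else
            echo "ipfw: chain '$chain' not loaded (compile or load failed)" >&2
        fi
    done
    echo "$loaded"
}

# Run the boot sequence only when invoked as "sh load_ipfw.sh boot" from
# rc.local, so the file can also be sourced to reuse the functions.
case "${1:-}" in
boot)
    echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1
    echo "ipfw: $(load_all) rule chain(s) loaded"
    ;;
esac
```

Put the line "sh /etc/ipfw_rules/load_ipfw.sh boot" in rc.local where the answer's manual ipfw lines were; a chain that fails to compile is reported and left unloaded rather than half-installed.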
